Deputy Secretary of Defense Speech

Press Operations

Speech

Remarks on Cyber at the RSA Conference

As Delivered by William J. Lynn, III, San Francisco, California, Tuesday, February 15, 2011

Thank you again to RSA for recognizing the Defense Department’s contributions to cyber policy.

This is without question the most technically sophisticated audience I have addressed. So it is with some reservation that I stand before you today.

When it comes to information technology, I am of an “in-between” age. I am not too old to have shunned technology altogether. I use a computer, a blackberry, even an iPad. But I lack the intuitive understanding of those who have grown up in the digital age. In other words, I have no idea how these devices actually work. I stopped my education at being able to program my VCR.

Fortunately, the young men and women who make up most of our military are much more adept than me. They, like you, are digital natives. And the information technologies that they operate have revolutionized how the military organizes, trains, and fights. Information technologies are at the core of our most important military capabilities. They give us the ability to navigate with accuracy, communicate with certainty, see the battlefield with clarity, and strike with precision.

But for all the wonderful capability technology enables in our military, it also introduces enormous vulnerabilities. We learned the hard way in 2008 when a foreign intelligence agency used a thumb drive to penetrate our classified computer systems—something we thought was impossible. It was our worst fear: a rogue program operating silently on our system, poised to deliver operational plans into the hands of an enemy.

Today I want to discuss the development of the cyber threat, how that threat might manifest itself, and, finally, how we—government and industry—can work together to keep America safe in the digital age.

To date, the most prevalent cyber threat has been exploitation of our networks. By that, I mean the theft of information and data from both government and commercial networks. On the government side, foreign intelligence services have ex-filtrated military plans and weapons systems designs. Commercially, valuable source code and intellectual property has likewise been stolen from business and universities. The recent intrusions in the oil and gas sector and at NASDAQ join those that occurred at Google as further, troubling instances of a widespread and serious phenomenon.

This kind of cyber exploitation does not have the dramatic impact of a conventional military attack. But over the long term it has a deeply corrosive effect. It blunts our edge in military technology and saps our competitiveness in the global economy.

More recently, a second threat has emerged—and that is disruption of our networks. This is where an adversary seeks to deny or degrade the use of an important government or commercial network. This happened in the denial of service attacks against Estonia in 2007 and Georgia in 2008. And it occurred when the hacker group Anonymous targeted eBay and Paypal. The effect is usually reversible. But the resulting economic damage and loss of confidence may not be.

To this point, the disruptive attacks we have seen are relatively unsophisticated in nature, short in duration, and narrow in scope. In the future, more capable adversaries could potentially immobilize networks on an even wider scale, for longer periods of time.

The third and most dangerous cyber threat is destruction, where cyber tools are used to cause physical damage. This development—which marks a strategic shift in the cyber threat—is only just emerging. But when you look at what tools are available, it is clear that this capability exists. It is possible to imagine attacks on military networks or critical infrastructure—like our transportation system and energy sector—that cause severe economic damage, physical destruction, or even loss of life.

Of course, it is possible that destructive cyber attacks will never be launched. Regrettably, however, few weapons in the history of warfare, once created, have gone unused. For this reason, we must have the capability to defend against the full range of cyber threats. This is indeed the goal of the Defense Department’s new cyber strategy, and it is why we are pursuing that strategy with such urgency.

Our cyber strategy recognizes that we are in the midst of a strategic shift in the cyber threat. The threat is moving up a ladder of escalation, from exploitation to disruption to destruction. As this threat continues to mature, there are several ways it may materialize.

Today, the highest levels of cyber capabilities reside in nation-states. Thus far, nation-states have primarily deployed their capabilities to exploit adversaries’ networks, rather than to disrupt or destroy them. More than 100 foreign intelligence agencies have attempted intrusions on our networks, but these intrusions are largely limited to exploitation. Although we cannot dismiss the threat of a rogue state lashing out, most nations have no more interest in conducting a destructive cyber attack against us than they do a conventional military attack. The risk for them is too great. Our military power provides a strong deterrent.

So even though nation-states are the most capable actors, they are the least likely to initiate a catastrophic attack in current circumstances. We nevertheless must prepare for the likelihood that cyber attacks will be part of any future conventional conflict. We need cyber capabilities that will allow us to defend against the most skilled nation-state.

Of greater concern in the near term is the accidental release of toxic malware. A destructive tool could inadvertently escape its creator and be let loose “in the wild.” Certain types of malware can propagate worldwide in minutes. The accidental spread of toxic malware may not cause as much damage as a pre-meditated attack, but it could nevertheless be a potential source of disruption for critical networks. We have to take the accidental release scenario seriously. To prevent something as trivial as a thumb drive stuck in the wrong computer from having a calamitous effect on the global economy, we need defenses that can stop toxic malware.

Perhaps the greatest concern in our judgment is a terrorist group that gains the level of disruptive and destructive capability currently possessed by nation-states. Al Qaeda, which has vowed to unleash cyber attacks, has not yet done so. But it is possible for a terrorist group to develop cyber attack tools on their own or to buy them on the black market. As you know better than I, a couple dozen talented programmers wearing flip-flops and drinking Red Bull can do a lot of damage. And with few tangible assets to lose in a confrontation, terrorists groups are difficult to deter. We have to assume that if they have the means to strike, they will do so.

We stand at an important juncture in the development of cyber threats. More destructive tools are being developed, but have not yet been used. And the most malicious actors have not yet laid their hands on the most harmful capabilities. But this situation will not hold forever. Terrorist organizations or rogue states could obtain and use destructive cyber capabilities. We need to develop stronger defenses before this occurs. We have a window of opportunity—of uncertain length—in which to gird our networks against more perilous threats.

The Defense Department is moving aggressively to counter this evolving threat. Over the past two years, we have deployed specialized active defenses to protect military networks. We have established the U.S. Cyber Command to operate and defend our networks. We have begun discussions with our allies on implementing shared cyber defenses. And we are in the final stages of review of a comprehensive cyber strategy, called Cyber 3.0.

That strategy is based on five pillars.

First, the Defense Department has formally recognized cyberspace as a new domain of warfare—like land, air, sea and space. Treating cyberspace as a domain means that the military needs to operate and defend its networks, which is why we established U.S. Cyber Command. It also means that the military services need to organize, train, and equip forces to perform cyber missions. Each of the services has recently created organizations to do just that. In short, to maintain our national security, our military must be as capable in this new domain as it is in the more traditional domains.

Second, we have equipped our networks with active defenses. It is not adequate to rely on passive defenses that employ only after-the-fact detection and notification. We have developed and now employ a more dynamic approach to cyber defense. Active defenses operate at network speed, using sensors, software, and signatures derived from intelligence to detect and stop malicious code before it succeeds. Because sophisticated intrusions will not always be caught at the boundary, active defense also enables us to hunt on our own networks and to cordon and deflect malicious software. Although no network will ever be 100 percent secure, active defenses have significantly enhanced the security of the .mil domain.

Third, we must ensure that the critical infrastructure on which our military relies is also protected. The threats we face in cyberspace target much more than military systems. Cyber intruders have already probed many government networks, our electrical grid, and our financial system. Secure military networks will matter little if the power grid goes down or the rest of government stops functioning—which is why the Department of Homeland Security’s cyber mission is so crucial.

Secretary Napolitano spoke here last year about her Department’s efforts to protect the .com and .gov domains. I am pleased to follow her this year to discuss how the military provides support to DHS in the cyber domain.

During a natural disaster, like a hurricane, military troops and helicopters are often used by FEMA to help deliver relief. In a similar vein, the military’s cyber capabilities will be available to civilian leaders to help protect the networks that support government operations and critical infrastructure. As with all cases of military support to civilian authorities, these resources will be under civilian control and used according to civil laws.

This is why we established a formal partnership with DHS in October 2010. Through pilot programs like Einstein 3, military technologies—including active defenses—are being used by DHS to secure government networks. We have also established a joint planning capability and exchange of personnel—including in our cyber watch centers. These initiatives substantially enhance the federal government’s ability to confront cyber threats.

Fourth, we are building collective defenses with our allies. Just as our air defenses are linked to those of our allies to provide warning of aerial attack, so too can we cooperatively monitor our computer networks for cyber intrusions.

The fifth pillar of our strategy is to marshal our country’s vast technological and human resources to ensure the United States retains its preeminent capabilities in cyberspace, as it does in other domains. I want to spend the remainder of my time discussing this aspect of the strategy and its implications for private industry.

Cyber 3.0 is an important milestone for our Department. But even if we execute it flawlessly, the fact is that the government cannot protect our nation alone. Cyber defense is not a military mission, like defending our airspace, where the sole responsibility lies with the military. The overwhelming percentage of our nation’s critical infrastructure—including the internet itself—is largely in private hands. It is going to take a public-private partnership to secure our networks.

To be successful, I believe we need to pursue several avenues of industry-government cooperation.

The first is information sharing. Telecommunications providers have unparalleled visibility into global networks. They can detect attacks transiting their systems, and in many cases alert customers. Often, they have the best operational capacity to respond.

We are working with key technology and defense companies to exchange information that improves cyber security practices and capabilities. Senior executives now meet regularly with top officials from the Department of Defense, Department of Homeland Security, and the Director of National Intelligence. This public-private partnership, called the Enduring Security Framework, not only helps identify vulnerabilities. It also mobilizes government and industry expertise to address security risks before harm is done.

The second avenue of public-private cooperation involves working to reverse the current advantage held by intruders seeking to penetrate networks.

The internet was designed to be open, transparent, and interoperable. It was designed to ensure the broad flow of information and the easy introduction of new technology. Security and identity management were secondary objectives in system design. These structural properties have endowed the internet with undeniable dynamism. But they have also given attackers a built-in advantage.

You can see just how significant this advantage is by comparing anti-virus software to the malware it attempts to defeat. Sophisticated anti-virus suites now run on about ten million lines of code. This is up from one million lines ten years ago. Yet malware written with as little as 125 lines of code has remained able to penetrate anti-virus software across this same period.

Because of this imbalance between offense and defense, we need the scientific community to help strengthen our network architecture. We must embed higher levels of security and authentication in hardware, operating systems, and network protocols. The National Strategy for Trusted Identities in Cyberspace, a White House initiative, will lay one building block of this more secure future. Our digital infrastructure will not change overnight, but over the course of a generation we have a real opportunity to engineer our way out of some of the most problematic vulnerabilities of today’s technology.

To help spur this effort, the Department of Defense will add half a billion dollars in new research funds for cyber technologies, with a focus on areas like cloud computing, virtualization, and encrypted processing. Through our “Cyber Accelerator” pilot, we are also providing seed capital for companies to develop dual-use technologies that serve our cyber security needs.

Of course, it is not enough just to develop innovative cyber technologies. We must also accelerate the introduction of them inside the Department.

It currently takes the Pentagon 81 months to field a new computer system. The iPhone was developed in just 24 months. That is less time than it takes us to prepare a budget and receive Congressional approval for it. This means I get permission to start a project at the same time Steve Jobs is talking on his new iPhone. It’s not a fair trade. We have to close this gap. Silicon Valley can help us.

Today I am announcing our intent to expand the Information Technology Exchange Program. This program, whose pilot is just getting underway, will allow for the exchange of IT and cyber security personnel between government and industry. We want senior IT managers in the Department to incorporate more commercial practices. And we want seasoned industry professionals to experience first-hand the unique challenges we face at DoD. As we expand participation I hope many of you consider applying. The Department, and the nation, need your expertise.

I am also announcing a program to better utilize cyber expertise within the National Guard and Reserve. Our Department has many soldiers, sailors, airman, and marines who work in the civilian IT world, and who continue to serve their country in the National Guard or Reserves. To make better and more systematic use of their specialized skills, we will increase the number of Guard and Reserve units that have a dedicated cyber mission.

A third and more challenging avenue of industry-government cooperation is how to extend the high level of protection afforded by active defenses to private networks that operate infrastructure crucial to our military and our economy.

Because of our intelligence capabilities, government has a deep and unique awareness of certain cyber threats. This classified “threat-based” information, and the technology we have developed to employ it in network defense, can significantly increase the effectiveness of cyber security practices that industry is already carrying out.

We already share unclassified threat information on a limited scale with defense companies whose networks contain sensitive information. How to share classified signatures and the technology to employ them across the full range of industrial sectors that support the military and underpin the economy is a pressing policy question. Owners and operators of critical infrastructure could benefit from the protections that active defenses provide. We have the technology and know-how to apply them in a civilian context. The real challenge at this point is developing the legal and policy framework to do so.

It is clear that securing our networks will require unprecedented industry and government cooperation. With the threats we face, working together is not only a national imperative. It is also one of the great technical challenges of our time.

The Department of Defense is moving aggressively to protect our own networks and to support civil authorities as they defend our nation’s digital infrastructure. Over the longer term, we must develop technology that reverses the present advantage held by those seeking to steal our secrets and cause us harm.

My hope is that by working together, we can replicate the success achieved over ten years ago, by the partnership between government and industry to address Y2K in advance of the year 2000.

The challenge we face today in cyber security is similar in several respects. It is global in scope. It involves nearly everything digital. And it will require government working with industry at all levels.

But unlike Y2K, we now face malicious, adaptive actors, bent on harm, rather than inanimate computer code written without the millennium in mind.

In Y2K, we also had a known deadline to focus the nation’s attention and resources.

We have a deadline in today’s effort as well—preventing a destructive cyber attack. We just don’t know when it is.

My sincere hope is that we can solve this problem before an incident happens, rather than needing an incident to get it solved.

With Y2K, we succeeded. Our response was so well managed, and so effective, it left people wondering whether there was ever a problem at all.

That brings me to what you can do.

In the cyber domain, soldiers are not the only ones on the front lines. Scientists, engineers, and innovators are too, including all the companies represented here today.

Whether by developing more secure technologies in labs and start-ups or by serving in our cyber workforce yourselves, there is an opportunity for each of us to lay our hands on the wheel of innovation, and to spin it faster and with greater purpose.

A keystroke can travel twice around the world to devastating effect in 300 milliseconds—literally the blink of an eye. But if we harness the knowledge in industry to the resources in government, we can create defenses that act even faster.

Throughout American history, at moments of great challenge and crisis, industry and the private sector have stood up, partnered with government, and developed the capabilities to keep our country safe. The incredible technologies that have resulted—including the internet itself—have made our military the most effective fighting force in the world, and our economy the most advanced of any nation.

I’m confident that, just like generation of innovators and pioneers before you, your talents, your expertise, your vision, can help keep our nation strong and prosperous for generations to come.